If we could constrain the hardware's interface to more closely match the
application's event model, we could prevent many attacks by disallowing
the transfers of control that they use to take over.
What kind of tools could we use to constrain a program's allowed
transfers? The compiler is a natural place to position a tool for
checking transfers.